Re: 2 SSH questions: why does it pause so much, and, can I keep connection alive?

From: Darren Tucker (
Date: 04/02/04

  • Next message: Darren Tucker: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
    Date: Fri, 2 Apr 2004 02:24:40 +0000 (UTC)

    In article <>,
    Michael Levin <> wrote:
    >I believe the server is behind a firewall. I'm sorry I'm not up on the
    >details here. What's this state-table timeout? I'm assuming it can cause
    >these pauses; if so, is there anything that can be done to help the
    >situation? Maybe I can talk to the sysadmin there, if I knew what I was
    >asking him to do...

    The exact details are usually product-specific, but the basics are:

    Stateful-inspection type firewalls keep track of connections running
    through them in a "state table". When a packet arrives, its source IP,
    destination IP, source port and destination port are checked against the
    state table, and if it matches the packet is let through. If the packet
    is not in the state table, the rulebase is checked and if it's permitted,
    then the connection is added to the state table. When the connection
    closes, it is removed from the state table.

    The catch here is in some cases, (eg crashing clients, or half-open
    port scans) the connection is never closed, and the table risks growing
    without limit. To combat this, a timeout is enforced where any connection
    that has not seen a packet within X seconds is aged out of the table.

    Some systems have a mechanism whereby an active connection can be put
    back in the state table (again, this is product-specific).

    > I'm running OpenSSH 3.6.1 on Mac OSX. I scoured the OpenSSH website, and
    >while they say the 3.8 is out, I don't see a TAR archive for 3.8 anywhere,
    >and I don't see an OSX executable anywhere either. Do you by any chance know
    >where I can get 3.8 (hopefully executable for OS X, or if not, something
    >which will compile on OSX)? Currently, there's no file name ssh_config on my
    >system. Is this a 3.8-specific thing, or should there be one somewhere for
    >3.6 as well?

    All versions of OpenSSH will read an ssh_config file. (There are sensible
    defaults, so it can survive without it).

    As for downloads:
    You want "openssh-3.8p1.tar.gz". The OpenSSH team don't offer binaries
    for OS X.

    > I tried this; when I first started SSH, it spit out a bunch of stuff
    >before it logged in. Then I logged in, and no special messages appeared at
    >all (it did the freeze thing once) - all I saw was what the server system
    >was saying (I worked in the shell, used Emacs, etc.). Then I logged out, and
    >it said a bunch of stuff as it exited. How does the vvv work - if there was
    >a problem during the session, would it superimpose its messages on the text
    >coming from the server?

    Yes, if there was something odd coming from the server (eg a rekey request)
    then it would have appeared in a "debug" message.

    Darren Tucker (dtucker at
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
        usually comes from bad judgement.
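As an added illustration (not code from Darren's reply or from the OpenSSH project), the following Python model replays the state-table behaviour described above: flows keyed on the 4-tuple, an idle timeout that ages silent entries out, and a constructed SSH session driven through the table with and without periodic client keepalive packets. It assumes the rulebase only admits connection-opening (SYN) packets, and every address and timing in it is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

Flow = tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port), as in the post


@dataclass
class StateTable:
    """Toy stateful-inspection table with an idle timeout (constructed model)."""
    idle_timeout: int             # seconds a flow may stay silent before it is aged out
    rulebase: set[int]            # destination ports the rulebase permits for new connections
    entries: dict[Flow, int] = field(default_factory=dict)   # flow -> time of last packet

    def expire(self, now: int) -> None:
        """Age out every flow that has not seen a packet within idle_timeout."""
        self.entries = {f: t for f, t in self.entries.items() if now - t <= self.idle_timeout}

    def packet(self, flow: Flow, now: int, syn: bool = False) -> bool:
        """Return True if the packet is let through, updating the table as the post describes."""
        self.expire(now)
        if flow in self.entries:          # known connection: refresh last-seen and pass
            self.entries[flow] = now
            return True
        # Assumption: only a connection-opening (SYN) packet is checked against the
        # rulebase; a mid-stream packet for a flow the table has forgotten is dropped.
        if syn and flow[3] in self.rulebase:
            self.entries[flow] = now
            return True
        return False


def run_session(idle_timeout: int, keepalive: Optional[int]) -> list[tuple[int, bool]]:
    """Replay a constructed SSH session: login, a minute of typing, a 20-minute
    idle stretch, then more typing. If keepalive is set, the client also sends
    a packet every `keepalive` seconds. Returns (time, passed) per user packet."""
    fw = StateTable(idle_timeout=idle_timeout, rulebase={22})
    flow = ("192.0.2.10", "203.0.113.5", 50123, 22)   # constructed addresses
    user_packets = {0, 30, 60, 1260, 1290}             # seconds since login
    keepalives = set(range(keepalive, 1300, keepalive)) if keepalive else set()
    results = []
    for t in range(1300):
        if t in user_packets:
            results.append((t, fw.packet(flow, t, syn=(t == 0))))
        elif t in keepalives:
            fw.packet(flow, t)
    return results


if __name__ == "__main__":
    print("no keepalive:", run_session(600, None))   # packets at 1260 and 1290 are dropped
    print("keepalive 300s:", run_session(600, 300))  # every packet passes
```

With a 600-second table timeout the idle session loses its entry and the user's next packets are silently dropped, which is the "pause"; a keepalive shorter than the timeout keeps the entry fresh. OpenSSH's ssh_config option ServerAliveInterval sends such periodic messages through the encrypted channel.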

